Department of Homeland Security

Department of Homeland Security’s FY 2013
Compliance with the Improper Payments
Elimination and Recovery Act of 2010

OIG-14-64                                  April 2014

OFFICE OF INSPECTOR GENERAL
Department of Homeland Security
Washington, DC 20528 / www.oig.dhs.gov

APR 14 2014

MEMORANDUM FOR:  Stacy Marcott
                 Deputy Chief Financial Officer

FROM:            Anne L. Richards
                 Assistant Inspector General for Audits

SUBJECT:         Department of Homeland Security’s FY 2013 Compliance
                 with the Improper Payments Elimination and Recovery Act
                 of 2010

Attached for your information is our final report, Department of Homeland Security’s
FY 2013 Compliance with the Improper Payments Elimination and Recovery Act of 2010.
We incorporated the formal comments from the Departmental GAO-OIG Liaison Office
in the final report.

This report does not contain any new recommendations. However, one
recommendation from our report Department of Homeland Security’s FY 2012
Compliance with the Improper Payments Elimination and Recovery Act of 2010,
OIG-13-47, March 2013, remains open and resolved.
Once your office has fully
implemented the recommendation, please submit a formal closeout request to us
within 30 days so that we may close the recommendation. The request should be
accompanied by evidence of completion of agreed-upon corrective actions.

Consistent with our responsibility under the Inspector General Act, we will provide
copies of our report to appropriate congressional committees with oversight and
appropriation responsibility over the Department of Homeland Security. We will post
the report on our website for public dissemination.

Please call me with any questions, or your staff may contact Mark Bell, Deputy Assistant
Inspector General for Audits, at (202) 254-4100.

Attachment

Table of Contents

Executive Summary
Background
Results of Audit
    DHS’ Compliance with IPERA
    Accuracy and Completeness of DHS’ Improper Payment Reporting
    Reducing and Recapturing Improper Payments
    Disbursement Testing
Appendixes
    Appendix A:  Objectives, Scope, and Methodology
    Appendix B:  Management Comments to the Draft Report
    Appendix C:  IPERA Process
    Appendix D:  Open and Resolved Recommendation
    Appendix E:  DHS IPERA Risk Conditions
    Appendix F:  Major Contributors to This Report
    Appendix G:  Report Distribution

Abbreviations
    AFR     Annual Financial Report/Agency Financial Report¹
    CBP     U.S. Customs and Border Protection
    CFO     Chief Financial Officer
    DHS     Department of Homeland Security
    DNDO    Domestic Nuclear Detection Office
    FEMA    Federal Emergency Management Agency
    FY      fiscal year
    IPERA   Improper Payments Elimination and Recovery Act of 2010
    IPIA    Improper Payments Information Act of 2002
    OIG     Office of Inspector General
    OMB     Office of Management and Budget
    RM&A    Risk Management and Assurance
    TSA     Transportation Security Administration
    USCG    United States Coast Guard
    USSS    United States Secret Service

¹ Annual Financial Report and Agency Financial Report are used synonymously throughout
Federal guidance. For the purpose of this report, AFR will represent both the Annual
Financial Report and Agency Financial Report.

Executive Summary

In fiscal year (FY) 2010, the Federal government’s total improper payment amount
reached $121 billion. In that same year, Congress passed the Improper Payments
Elimination and Recovery Act of 2010 (the Act) in an effort to reduce improper
payments. In addition to reducing improper payments, the Act requires each agency’s
Inspector General to determine whether the agency complies with the Act annually.
Since the implementation of the Act, DHS has reduced its improper payment amount
from $222 million in FY 2011 to $178 million in FY 2013.

Our audit objective was to determine whether the Department of Homeland Security
(DHS) complied with the Act in fiscal year 2013. In addition, we also evaluated the
accuracy and completeness of DHS’ improper payment reporting and its efforts to
reduce and recover improper payments for fiscal year 2013.

We contracted with an independent public accounting firm, KPMG LLP, to determine
whether DHS complied with the Act.
KPMG LLP did not identify any instances of
noncompliance with the Act.

We reviewed the accuracy and completeness of DHS’ improper payment reporting and
DHS’ efforts to reduce and recover improper payments. DHS has made significant
improvements to its processes in the past year to help ensure the accuracy and
completeness in reporting improper payments and in its efforts to reduce and recover
overpayments. Specifically, in the past year DHS has—

    • segregated duties appropriately;
    • improved its review processes to help ensure that components’ risk assessments
      are properly supported;
    • improved its policies and procedures to identify, reduce, and report improper
      payments; and
    • improved its improper payment recovery efforts.

We did not make any new recommendations in this year’s report. However, one
recommendation in last year’s report, Department of Homeland Security’s FY 2012
Compliance with the Improper Payments Elimination and Recovery Act of 2010,
OIG-13-47, March 2013, remains open and resolved.

Background

On July 22, 2010, the President signed Public Law 111-204, Improper Payments
Elimination and Recovery Act of 2010 (IPERA or the Act). IPERA requires that the head of
each agency periodically review all programs and activities administered, and identify
those that may be susceptible to significant improper payments.
For each program
identified as susceptible to significant improper payments, the agency is required to
produce a statistically valid estimate of the improper payments made by each program
and activity. The agency is also required to include those estimates in the materials
accompanying the agency’s annual financial statement. See appendix C for additional
information on the IPERA process.

The Office of Management and Budget (OMB) issued Circular A-123, Appendix C,
Requirements for Effective Measurement and Remediation of Improper Payments,
revised parts I and II, April 14, 2011, as guidance for agencies to implement the
requirements of IPERA. This guidance also describes the responsibilities of Inspectors
General in determining their respective agency’s compliance with IPERA. In accordance
with OMB’s guidance, the Inspector General should review improper payment reporting
in the Agency Financial Report (AFR) and any accompanying information to ensure
compliance with IPERA. As part of that review, the Inspector General should evaluate
the accuracy and completeness of agency reporting, and evaluate agency efforts to
reduce and recover improper payments, among other things.

The DHS Office of Inspector General (OIG) has previously issued two reports on DHS’
compliance with the Act and the Department’s efforts to reduce and recover improper
payments.
In the report, Department of Homeland Security’s Compliance with the
Improper Payments Elimination and Recovery Act of 2010, OIG-12-48, issued March
2012, we identified that the Department needed to:

    • improve controls to ensure completeness and accuracy of reporting;
    • improve guidance; and
    • increase efforts to recover improper payments.

Specifically, the Department should ensure that all payments subject to testing are
tested and reported and that recovery audit rates are reported accurately. Independent
parties should perform test work and review sample payments. Also, the Department
should develop guidance on applying results of test work using alternative sampling
methodologies. Finally, the Department should perform recovery audits when cost
effective, and those audits should target payments with a higher potential for
overpayment and recovery.

In the report, Department of Homeland Security’s FY 2012 Compliance with the
Improper Payments Elimination and Recovery Act of 2010, OIG-13-47, issued March
2013, we identified that DHS needed to improve controls to ensure the accuracy and
completeness of improper payment reporting. Specifically, it needed to improve its
review processes to ensure that the risk assessments properly support the components’
determination of programs susceptible to significant improper payments.
Furthermore,
DHS needed to segregate duties adequately and improve its policies and procedures to
identify, reduce, and report DHS and the components’ improper payments.

Results of Audit

To comply with IPERA, an agency is required to conduct risk assessments and report and
publish the results of selected program testing in its AFR. It must also achieve and report
improper payment rates of less than 10 percent for each program. KPMG LLP (KPMG)
did not identify any instances of noncompliance with IPERA.

Additionally, we reviewed DHS’ processes and procedures for estimating its annual
improper payment rates. Based on our review, DHS has improved its internal controls
over the accuracy and completeness of agency reporting and in its efforts to reduce
and recover overpayments. Specifically, we did not identify any new internal control
weaknesses in the current year. Also, DHS and the components’ efforts in the past year
have closed many of the open recommendations from the reports—Department of
Homeland Security’s Compliance with the Improper Payments Elimination and Recovery
Act of 2010, OIG-12-48, issued March 2012; and Department of Homeland Security’s FY
2012 Compliance with the Improper Payments Elimination and Recovery Act of 2010,
OIG-13-47, issued March 2013. See appendix D for the one remaining open and resolved
recommendation.

We also determined that the U.S. Customs and Border Protection (CBP) properly
performed IPERA disbursement testing for the Border Security Fencing program.

DHS’ Compliance with IPERA

We contracted with KPMG to audit DHS to determine whether it met the
following requirements prescribed by IPERA:

    • published an AFR and accompanying information on the agency website,
      as required by OMB;
    • conducted required program-specific risk assessments;
    • published improper payment estimates for high-risk programs;
    • published programmatic corrective action plans;
    • published, and has met, annual reduction targets for programs at risk;
    • achieved and reported a gross improper payment rate of less than
      10 percent for all programs tested; and
    • reported on its efforts to recover improper payments.

KPMG did not identify any instances of noncompliance with IPERA.

Accuracy and Completeness of DHS’ Improper Payment Reporting

DHS has made significant improvements to its IPERA processes in the past year
to help ensure the accuracy and completeness of its improper payment
reporting.
Specifically, DHS has—

    • segregated duties appropriately;
    • improved its review processes to help ensure that components’ risk
      assessments are properly supported; and
    • improved its policies and procedures to identify, reduce, and report
      improper payments.

Segregation of Duties

DHS has addressed prior audit concerns of CBP’s segregation of sample testing
duties. CBP implemented proper segregation of duties designed to reduce
improper payments. In prior audits (fiscal years (FY) 2011 and 2012), CBP did not
segregate duties for payment reviewers to minimize the risk of the potentially
conflicting goals of correctly assessing payments and the achievement of
improper payment reduction targets. The Improper Payments Reduction
Guidebook, Version 3.0 (Guidebook) requires that at a minimum, payment
reviewers should not have had a role in processing, approving, and/or disbursing
the specific payments under review. During FY 2013, CBP changed its policies to
reflect the Guidebook’s requirements. Specifically, the first question of its FY
2013 testing checklist now requires the processor to be different from the
researcher.

Components’ Risk Assessments

Since our FY 2012 audit, components have made some improvements in their
processes to support the conclusions made in their risk assessments.
Specifically,
they interviewed the appropriate program personnel and obtained proper
approval of the risk assessments. However, some components did not provide
sufficient information in their risk assessments that would allow an outside
reviewer to understand the key determinants of program risk.

Risk Assessment Interviews

In our prior audit, the United States Coast Guard (USCG) and CBP did not always
perform interviews as part of their IPERA risk assessment process. Similarly, the
Federal Emergency Management Agency (FEMA) performed interviews but did
not interview program managers or senior management as required by the DHS
Guidebook. During FY 2013, CBP and USCG appropriately performed interviews
to support their risk assessments; and FEMA interviewed the appropriate
program officials, as required. DHS has addressed prior audit concerns with CBP,
USCG, and FEMA’s risk assessment interview process.

Risk Assessment Approval

In FY 2012, the CBP Chief Financial Officer (CFO) or Deputy CFO did not review
and approve CBP’s final risk assessment prior to DHS Risk Management and
Assurance (RM&A) Division’s final review. According to the DHS Guidebook
Version 3.0, the Component CFO or Deputy CFO must review and approve risk
assessments prior to RM&A Division’s final review and approval. In FY 2013,
CBP’s CFO reviewed and approved CBP’s risk assessment as required by the
Guidebook.
Therefore, DHS has addressed prior audit concerns regarding CBP’s
CFO approving its risk assessment prior to RM&A Division’s final review.

Risk Assessment Support

Consistently, components have not always provided enough information in their
risk assessments that would allow an outside reviewer to understand the key
determinants of program risk. The DHS Guidebook requires components to
perform a comprehensive risk assessment to identify high-risk programs
susceptible to making improper payments. To accomplish this task, the DHS
Guidebook requires the components to perform the following:

    1. Identify programs and determine population and scope of the
       component programs assessed.
    2. Conduct and document interviews.
    3. Populate a risk template.
    4. Validate risk elements and weights for each component program
       evaluated.
    5. Identify programs at significant risk of improper payments.

Additionally, the DHS Guidebook requires components to evaluate programs
across a set of risk conditions, which are factors that directly or indirectly affect
the likelihood of improper payments within each program. Factors include
payment processing controls, human capital, and operating environment, among
others (see appendix E). The Guidebook requires that components assign a
weight (risk weight) and score (risk score) to the risk conditions on each
program’s overall risk.
The risk weight reflects the level of importance and
influence and the risk score reflects the degree of risk conditions may pose to a
particular program. The risk weight explanations should be included in the risk
assessment and be understandable to an outside reviewer.

During our FY 2013 audit, CBP updated its risk assessment to include a rationale
for each risk weight and score. However, as reported in FY 2012, the
Transportation Security Administration (TSA) and FEMA risk weight explanations
did not provide enough information to make them understandable to an outside
reviewer. Specifically, all TSA risk weights relied on the following generic
statement (or a slight variation of it):

    All TSA payments are processed through the USCG Finance Center
    in Chesapeake, VA. All contracts payments are generally handled in
    the same manner. We determined the weight of each risk condition
    based on issues found during external audits, internal control
    reviews and interviews with program officials.

FEMA changed the risk weights for some risk conditions but used the same
explanation for all programs.

DHS Guidebook

The DHS Guidebook provided components with background on applicable IPERA
guidance and instructions to help the Department meet IPERA requirements. In
prior years, components often relied on additional instructions to complete the
Guidebook requirements because of the inconsistency of its instructions. The
RM&A Division made some improvements to the Guidebook in October 2012
with Version 3.0.
For example, the Guidebook updated the risk assessment
templates; and stated the type of documentation that would be required from
components to support risk assessments. The Guidebook also updated risk
assessment questionnaires to be more comprehensive; and expanded the
definitions of the risk conditions for payment processing controls and contract
management. Because of these measures, DHS has addressed prior audit
concerns of modifying the Guidebook to add clarification on how to complete
the risk assessment.

DHS RM&A Division’s Reviews

DHS RM&A Division has improved its review process to ensure that the
components were properly supporting their risk assessments. The Division
obtained and reviewed components’ interviews to ensure the risk weights and
scores had proper support. It also established standard operating procedures to
identify how IPERA reviews and approvals will be coordinated. Despite these
improvements, some components’ risk assessments still did not have proper
support.

Risk Assessment Reviews

During the FY 2012 audit, we determined that RM&A Division’s risk assessment
review consisted of comparing the FYs 2011 and 2012 risk weight and score
narratives to identify differences. The Division review did not include obtaining
and reviewing the summary interviews to ensure that the components properly
supported the risk weights and scores.
In FY 2013, the RM&A Division began
reviewing the submissions and coordinated with the components when
necessary to ensure that risk weights and scores are accurate and properly
supported. The RM&A Division completed all reviews in March 2013. However,
these reviews did not resolve outstanding issues with the support provided for
risk weights in TSA and FEMA’s risk assessments.

Standard Operating Procedures

Also in the FY 2012 audit, we determined that the RM&A Division frequently
reviewed and approved IPERA deliverables using alternative methods instead of
the required system. For example, USCG received an email message from the
RM&A Division approving the test plan in May, but the system designated to
document the test plan did not document RM&A’s approval until September.
According to the DHS Guidebook, components must obtain approval from the
RM&A Division for each test plan before beginning any test work. In July 2013,
the RM&A Division issued Version 1.0 of the Risk, Management, and Assurance,
Improper Payments Program, Standard Operating Procedures, which explain
how the Division will coordinate with components to review and approve IPERA
test plans. During the current audit, all of the test plans were appropriately
approved.
This demonstrates that DHS has established standard operating
procedures to address prior audit concerns of review and approval coordination
with the components.

Reducing and Recapturing Improper Payments

DHS has made progress reducing and recapturing improper payments. In the FY
2011 audit, not all components conducted payment recovery audits as required
by IPERA. Specifically, DHS decided not to perform recovery audits for the
Domestic Nuclear Detection Office (DNDO) and TSA. The United States Secret
Service (USSS) did not conduct a recovery audit because it did not enter into a
recovery audit contract in time to perform an audit in FY 2011. Since the FY 2011
audit, DNDO and TSA have properly performed recovery audits as planned and
reported in the Department’s AFR. Also, as allowed by IPERA, USSS determined
that it was not cost effective to perform recovery audits. DHS has addressed
prior audit concerns regarding reducing and recapturing improper payments.

Disbursement Testing

CBP properly performed IPERA disbursement testing for the Border Security
Fencing program. For FY 2012, CBP disbursed $418.2 million in support of its
Border Security Fencing program. As defined in the DHS sampling methodology,
CBP tested 186 payments totaling $106.5 million.
During FY 2013, we retested
109 ($66.8 million) of the original 186 payments and determined that CBP’s
improper payment error rate, 0.01 percent, was reasonable.

Appendix A
Objectives, Scope, and Methodology

The Department of Homeland Security (DHS) Office of Inspector General (OIG) was
established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment
to the Inspector General Act of 1978. This is one of a series of audit, inspection, and
special reports prepared as part of our oversight responsibilities to promote economy,
efficiency, and effectiveness within the Department.

The audit objective was to determine whether DHS complied with the Improper
Payments Elimination and Recovery Act of 2010 in FY 2013. In addition, we also
evaluated the accuracy and completeness of DHS’ improper payment reporting and its
efforts in reducing and recovering improper payments for FY 2013.

The scope of the audit was DHS’ FY 2013 efforts to comply with IPERA. We limited our
scope to certain DHS components. We reviewed components identified in our audit,
Department of Homeland Security’s FY 2012 Compliance with the Improper Payments
Elimination and Recovery Act of 2010, OIG-13-47, issued March 2013, that were working
on improving controls to ensure the accuracy and completeness of improper payment
reporting. Those components were the United States Coast Guard, U.S. Customs and
Border Protection, Federal Emergency Management Agency, U.S. Immigration and
Customs Enforcement, and Transportation Security Administration.
We also reviewed
the Transportation Security Administration, Domestic Nuclear Detection Office, and
United States Secret Service’s progress in conducting recovery audits.

To understand DHS’ requirements under IPERA and DHS’ policies and procedures to
meet those requirements, we obtained and reviewed relevant authorities and guidance.
These included IPERA, OMB Circular A-123, Appendix C, Requirements for Effective
Measurement and Remediation of Improper Payments, revised Parts I and II, April 14,
2011, and the DHS Improper Payments Reduction Guidebook. We also interviewed
officials in DHS’ Office of Chief Financial Officer and the selected components directly
involved with IPERA implementation.

We contracted with an independent public accounting firm, KPMG LLP (KPMG), to
determine DHS compliance with IPERA. The contract required that KPMG perform its
audit in accordance with generally accepted government auditing standards.
Those
standards require that the auditors plan and perform the audit to obtain sufficient,
appropriate evidence to provide a reasonable basis for their findings and conclusions
based upon the audit objectives.

At each component, KPMG performed the following:

    • obtained and read relevant authorities and guidance;
    • interviewed component management;
    • reviewed component policies;
    • reviewed components’ risk assessment processes;
    • reviewed components’ sampling plans and methodologies; and
    • reviewed components’ corrective action plans.

At DHS, KPMG reviewed DHS’ FY 2013 AFR to determine compliance with reporting
requirements.

To evaluate the accuracy and completeness of DHS’ improper payment reporting, we
reviewed the processes and procedures for DHS and the following DHS components:

    • United States Coast Guard;
    • U.S. Customs and Border Protection;
    • Federal Emergency Management Agency;
    • U.S. Immigration and Customs Enforcement; and
    • Transportation Security Administration.

Specifically, we performed the following procedures:

    • reviewed components’ risk assessments;
    • reconciled components’ risk assessments with FY 2012 gross disbursement data;
    • reviewed sample test plans and results; and
    • reviewed DHS’ processes and procedures used to estimate the improper
      payment rate, including the risk assessment process, testing, and reporting.

We also reviewed DHS’ efforts to recover improper payments for the following
components:

    • Domestic Nuclear Detection Office;
    • Transportation Security Administration; and
    • United States Secret Service.

To evaluate DHS’ performance in reducing and recapturing improper payments, we
determined DHS’ progress in implementing Recommendation #5 from the audit report,
Department of Homeland Security’s Compliance with the Improper Payments Elimination
and Recovery Act of 2010, OIG-12-48, March 2012.

We conducted sample payment testing for the CBP Border Security Fencing program
only. To complete this testing, we obtained from CBP a listing of disbursements used to
determine its Border Security Fencing estimate of improper payments. This listing
contained 186 disbursements, of which we judgmentally selected 109 to re-perform
IPERA sample testing.
We reviewed contracts, invoices, and receiving documentation.
We analyzed whether CBP properly determined proper and improper payments during
the IPERA testing for the CBP Border Security Fencing program.

We conducted this performance audit between July 2013 and February 2014 pursuant
to the Inspector General Act of 1978, as amended, and according to generally accepted
government auditing standards. Those standards require that we plan and perform the
audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our
findings and conclusions based upon our audit objectives. We believe that the evidence
obtained provides a reasonable basis for our findings and conclusions based upon our
audit objectives.

Appendix B
Management Comments to the Draft Report

U.S. Department of Homeland Security
Washington, DC 20528

April 3, 2014

MEMORANDUM FOR:  Anne L. Richards
                 Assistant Inspector General for Audits
                 Office of Inspector General

FROM:            Jim H. Crumpacker
                 Director
                 Departmental GAO-OIG Liaison Office

SUBJECT:         OIG Draft Report: "FY 2013 Audit of the Department of Homeland
                 Security's Compliance with the Improper Payments Elimination and
                 Recovery Act of 2010" (Project No. 13-01 R-Alffi-DHS)

Thank you for the opportunity to review and comment on this draft report. The U.S. Department of
Homeland Security (DHS) Management Directorate (MGMT) appreciates the Office of Inspector
General's (OIG's) work in planning and conducting its review and issuing this report.

DHS MGMT is pleased to note that for the fifth year in a row, KPMG LLP, the Department's
independent auditor, did not find any instances of noncompliance with the Improper Payments
Elimination and Recovery Act of 2010 (IPERA) and its predecessor law the Improper Payments
Information Act of 2002. In addition, OIG did not identify any new internal control weaknesses and it
determined that the U.S. Customs and Border Protection had properly performed IPERA disbursement
testing for the Border Security Fencing program.
OIG also found that DHS and the Components'
efforts during the past year had resulted in the closing of all open prior year IPERA-related
recommendations except for one.

The draft report did not contain any new recommendations; however, OIG did request an update on
progress being made to close the one remaining open prior year recommendation with which DHS
MGMT had concurred.1 Specifically, OIG recommended that the DHS Chief Financial Officer
(CFO):

Recommendation: Ensure that the DHS Risk Management and Assurance Division requires all
Components to provide detailed explanations and references to supporting documentation as to how
they determined each risk weight and risk score.

1 "Department of Homeland Security's FY 2012 Compliance with the Improper Payments Elimination and
Recovery Act of 2010," OIG-13-47 (Washington, D.C., March 12, 2013).

Update: The DHS CFO's Risk Management and Assurance Division (RM&A) continues to take
actions during FY 2014 to fully meet the intent of this recommendation. Specifically, for the current
year, RM&A has provided Components with guidance and direction on the proper support that is
necessary to substantiate their risk scores and risk weights. Additionally, RM&A's FY 2014 processes
and procedures include an extensive, beginning to end, review and analysis of Components' risk
assessment documentation that will ensure Component risk assessments' weights and scores are fully
substantiated by supporting documentation. This beginning to end review and analysis consists of the
comparison of prior to current year risk assessments and the assurance that current year risk weights
and scores correlate to current year net testable disbursements. As part of the FY 2014 IPERA testing
cycle, RM&A has also implemented the use of a standardized interview template that provides
Components with a structured questionnaire to ensure risk assessment content is based on identifiable
program changes and risks. Estimated Completion Date: August 31, 2014

Again, thank you for the opportunity to review and comment on this draft report. Technical
comments were previously provided under separate cover. Please feel free to contact me if
you have any questions. We look forward to working with you in the future.

Appendix C
IPERA Process

On July 22, 2010, the President signed Public Law 111-204, Improper Payments
Elimination and Recovery Act of 2010 (IPERA or the Act), which amended the Improper
Payments Information Act of 2002 (IPIA).
As defined by the IPIA, the term improper
payment means:

    A. any payment that should not have been made or that was made in an incorrect
       amount (including overpayments and underpayments) under statutory,
       contractual, administrative, or other legally applicable requirements; and
    B. includes any payment to an ineligible recipient, any payment for an ineligible
       good or service, any duplicate payment, any payment for a good or service not
       received (except where such payments were authorized by law), and any
       payment that does not account for credit for applicable discounts.2

IPERA requires that the head of each agency periodically review all programs and
activities administered, and identify the programs and activities that may be susceptible
to significant improper payments. These reviews shall take into account risk factors
likely to contribute to the susceptibility of significant improper payments. According to
IPERA, beginning with fiscal year 2013, a program is susceptible to improper payments if
improper payments in the program or activity in the preceding fiscal year exceeded $10
million and account for 1.5 percent or more of program outlays or $100 million.

For each program identified as susceptible to significant improper payments, IPERA also
requires that the head of the agency produce a statistically valid estimate, or use an
OMB-approved methodology to estimate improper payments made by each program
and activity, and include those estimates in the accompanying materials of the agency’s
annual financial report. For FY 2013, DHS identified 11 programs as high risk for
improper payments based on FY 2013 risk assessments and FY 2012 payment sample
testing.
Of the $13.8 billion in payments made for these high-risk programs, DHS
estimates it made a total of $178 million in improper payments, a 1.30 percent error
rate.

2 The Office of Management and Budget Circular A-123, Appendix C, Requirements for Effective
Measurement and Remediation of Improper Payments, April 14, 2011, also requires a payment to be
considered improper when an agency’s review is unable to discern whether the payment was proper as a
result of insufficient or lack of documentation.

Table 1: DHS FY 2013 Estimated Improper Payment Amounts and Rates

DHS Component                                      Estimated     Improper      Improper
                                                   Payment       Payments      Payment
                                                   Population    ($ millions)  Rate (%)
                                                   ($ millions)
U.S. Customs and Border Protection
    Border Security Fencing                        $173          $0            0.01%
    Custodial - Refund & Drawback                  $1,937        $7            0.36%
Federal Emergency Management Agency
    Disaster Relief Program – Vendor Payments      $750          $23           3.11%
    Insurance – National Flood Insurance Program   $2,127        $0            0.02%
    Grants – Public Assistance Programs            $3,670        $41           1.11%
    Grants – Homeland Security Grant Program       $1,699        $22           1.31%
    Grants – Assistance to Firefighters Grants     $425          $5            1.07%
    Grants – Transit Security Grants Program       $328          $7            2.06%
    Grants – Emergency Food and Shelter Program    $89           $0            0.34%
U.S. Immigration and Customs Enforcement
    Enforcement and Removal Operations             $1,691        $73           4.33%
National Protection and Programs Directorate
    Federal Protective Service                     $878          $0            0.03%
DHS-All Programs                                   $13,767       $178          1.30%

Source: Data from DHS FY 2013 Agency Financial Report. DHS calculated its FY 2013 estimated
improper payment rates using FY 2012 payment data. Improper payment rate variances due to
rounding.

On October 23, 2012, the Office of the Chief Financial Officer, DHS Risk Management
and Assurance Division (RM&A Division) issued version 3.0 of its Improper Payments
Reduction Guidebook (DHS Guidebook).3 This Guidebook supports the Department’s
efforts to identify, reduce, report, and recoup improper payments.
It also provides DHS
Components with instructions for complying with IPERA, Executive Order 13520, and
OMB guidance for the implementation of IPERA.

3 On June 10, 2013, the DHS Risk Management and Assurance Division issued version 4.1 of its Improper
Payments Reduction Guidebook for use in FY 2014.

The diagram below shows the process DHS Components are required to follow to
identify, estimate, report, and recover improper payments.

Source: Information obtained from the Office of Chief Financial Officer, Risk Management and
Assurance Division, DHS Improper Payments Reduction Guidebook, Version 3.0, October 23,
2012.

Appendix D
Open and Resolved Recommendation

Open and Resolved Recommendation as previously reported in the
Department of Homeland Security’s FY 2012 Compliance with the Improper
Payments Elimination and Recovery Act of 2010, OIG-13-47, March 2013

We recommend that the Chief Financial Officer, Department of Homeland
Security ensure that—

Recommendation

DHS Risk Management and Assurance Division requires all components to
provide detailed explanations and references to supporting documentation as to
how they determined each risk weight and risk score.

Appendix E
DHS IPERA Risk Conditions

Payment Processing Controls
    • Management’s role in the creation, implementation, and enforcement of internal
      controls.
    • Existence of current and accurate internal control documentation.
    • Assessment of design and operating effectiveness of internal control over payment
      processes.
    • Identification of deficiencies within financial processes and internal control related
      to payment processes.
    • Presence and effectiveness of compensating controls to reduce the risk of making an
      improper payment.
    • Estimated error rates and amounts from previous year’s testing.
    • Extent that relevant external databases are used to verify recipient eligibility
      (e.g., Do Not Pay Lists).

Quality of Internal Monitoring Controls
    • Periodic internal program reviews to determine if payments are made properly.
    • Presence and effectiveness of compensating controls that may provide real or near
      real-time monitoring capability.
    • Support for test of design and test of operating effectiveness work.
    • Extent and quality of monitoring to recipients to verify that funds are used for
      their intended purpose (Grants).

Human Capital
    • Level of turnover within the program and average tenure of program staff.
    • Qualifications of program staff (e.g., experience and training of personnel
      determining eligibility or certifying payments).
    • Existence of pressures to perform (e.g., emphasis on expediting payments).
    • Level of oversight and opportunity for fraudulent activity (e.g., the organizational
      structure of the program staff).

Complexity of Program
    • Time the program has been in operation.
    • Variability of program interpretation and application (e.g., Laws, regulations, or
      standards required for the program’s compliance).

Nature of Payments and Recipients
    • Types of payments (e.g., contracts, payroll, grants).
    • Volume, size, and duration of payments.
    • Number of vendors or contracts paid by the program.
    • Identification of deficiencies or history of improper payments within recipients.
    • Type and size of program recipients and existence of subrecipients.
    • Maturity of recipients’ finance function and financial infrastructure.
    • Recipients’ experience with administering Federal payments.
    • Number of vendors being paid by the program (Contracts).

Operating Environment
    • Existence of factors in the operating environment that necessitate or allow for
      loosening of financial controls.
    • Recent major changes in program funding, authorities, practices, or procedures.
    • Level of fraudulent activities associated with the operating environment.
    • Management’s experience with designing and implementing effective compensating
      controls.
    • Issues identified with a component’s financial systems.

Contract Management
    • Level of contract management weaknesses identified in previous payment testing.
    • Frequency with which named contracting officer’s representative reviews and
      approves invoices prior to payment.
    • Level of familiarity of goods and services listed on invoices.
    • Sufficiency of time to review invoices prior to payment.
    • Complexity of funding sources, cost allocations, and contract lines.
    • Timely payment of invoices per OMB guidance, which calls for disbursement of funds
      within 15 days of receipt of a proper invoice.
    • Advantageous discounts are applied to those payments made within the discount
      window.
    • Contractors are not reviewing and approving invoices on behalf of the government.
    • Timely receipt and acceptance of goods and/or services.
    • Proper calculation of prompt payment interest, if invoice is paid late.

Grant Management
    Nature of Recipients:
        • SF 133 Audit Clearinghouse information on quality of controls within grant
          recipients.
        • Layers of grantees receiving program payments.
    Quality of Internal Monitoring Controls:
        • The extent and quality of monitoring of recipients to verify that funds are
          used for their intended purpose.
        • Limited access to documentation to support disbursements to grant recipients.

Source: Office of Chief Financial Officer, Risk Management and Assurance Division, DHS
Improper Payments Reduction Guidebook, Version 3.0, October 23, 2012.

Appendix F
Major Contributors to This Report

Sandra John, Director
Devon Houston, Audit Manager
Natalie Fussell, Program Analyst
Jason Kim, Auditor
Hope Franklin, Auditor
Alejandro Jaca-Mendez, Auditor
J. Christopher Chamberlain, Program Analyst
Jeff Mun, Auditor
Mohammad Islam, Statistician
Kevin Dolloson, Communications Analyst
Karen Gardner, Independent Referencer

Appendix G
Report Distribution

Department of Homeland Security

Secretary
Deputy Secretary
Chief of Staff
Deputy Chief of Staff
General Counsel
Executive Secretary
Director, GAO/OIG Liaison Office
Assistant Secretary for Office of Policy
Assistant Secretary for Office of Public Affairs
Assistant Secretary for Office of Legislative Affairs
Component Liaison, U.S. Coast Guard
Component Liaison, U.S. Customs and Border Protection
Component Liaison, Federal Emergency Management Agency
Component Liaison, U.S. Immigration and Customs Enforcement
Component Liaison, Transportation Security Administration
Chief Privacy Officer

Office of Management and Budget

Chief, Homeland Security Branch
DHS OIG Budget Examiner

Congress

Committee on Homeland Security and Governmental Affairs of the Senate
Committee on Oversight and Governmental Reform of the House of Representatives

ADDITIONAL INFORMATION

To view this and any of our other reports, please visit our website at: www.oig.dhs.gov.

For further information or questions, please contact Office of Inspector General (OIG)
Office of Public Affairs at: DHS-OIG.OfficePublicAffairs@oig.dhs.gov, or follow us on
Twitter at: @dhsoig.

OIG HOTLINE

To expedite the reporting of alleged fraud, waste, abuse or mismanagement, or any
other kinds of criminal or noncriminal misconduct relative to Department of Homeland
Security (DHS) programs and operations, please visit our website at www.oig.dhs.gov
and click on the red tab titled "Hotline" to report. You will be directed to complete and
submit an automated DHS OIG Investigative Referral Submission Form. Submission
through our website ensures that your complaint will be promptly received and
reviewed by DHS OIG.

Should you be unable to access our website, you may submit your complaint in writing
to:

    Department of Homeland Security
    Office of Inspector General, Mail Stop 0305
    Attention: Office of Investigations Hotline
    245 Murray Drive, SW
    Washington, DC 20528-0305

You may also call 1(800) 323-8603 or fax the complaint directly to us at
(202) 254-4297.

The OIG seeks to protect the identity of each writer and caller.